A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue.
Legal claims defining the scope of protection, as filed with the USPTO.
1. At least one non-transitory machine accessible storage medium having instructions stored thereon for detecting malicious code in a script, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform a method comprising: evaluating a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event; initiating, by an execution engine, an execution of a compiled script resulting from a compilation of the script; detecting a function called by the compiled script; executing the function and performing an evaluation of the function; detecting an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and verifying, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
2. The at least one non-transitory machine accessible storage medium of claim 1, wherein the instructions, when executed by the at least one processor, cause the at least one processor to: store first information associated with the compilation event in a compilation event queue; and store second information associated with the execution event in an execution event queue.
3. The at least one non-transitory machine accessible storage medium of claim 2, wherein the compilation event queue and the execution event queue are integrated.
4. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature indicates a threshold number of times the function is called.
5. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature indicates a location of the execution event relative to another execution event detected during the execution of the compiled script.
6. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature is configurable by a user.
7. The at least one non-transitory machine accessible storage medium of claim 1, wherein the instructions, when executed by the at least one processor, cause the at least one processor to: pass the parameter to the function, wherein the execution event is based on a predetermined threshold length of the parameter.
8. The at least one non-transitory machine accessible storage medium of claim 1, wherein the function decodes data, and the execution event is based on a predetermined threshold length of a string resulting from the function.
9. The at least one non-transitory machine accessible storage medium of claim 1, wherein the function concatenates data, and the execution event is based on a predetermined threshold length of a string resulting from concatenated data.
10. The at least one non-transitory machine accessible storage medium of claim 1, wherein the instructions, when executed by the at least one processor, cause the at least one processor to: prior to executing the function, pass control of the function to a function evaluation module based on detecting code hooked in the function; and pass control from the function evaluation module to the execution engine when the function finishes executing.
11. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature is verified based, in part, on a distance between the execution event and one or more other execution events.
12. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature is verified based, in part, on a weight assigned to the function, wherein the weight represents a relative importance of the function.
13. The at least one non-transitory machine accessible storage medium of claim 1, wherein the function is one of one or more relevant functions called by the compiled script, wherein each relevant function is associated with respective code that causes control of the particular relevant function to be passed from the execution engine to a function evaluation module.
14. The at least one non-transitory machine accessible storage medium of claim 1, wherein the correlation signature indicates both the compilation event and the execution event are malicious.
15. The at least one non-transitory machine accessible storage medium of claim 1, wherein the compilation event indicates the script includes an evasion technique.
16. The at least one non-transitory machine accessible storage medium of claim 1, wherein the execution event is detected based on at least the parameter in the script meeting or exceeding the predetermined threshold or size.
17. An apparatus for detecting malicious code in a script, the apparatus comprising: one or more processors; and one or more memory elements including instructions stored therein, wherein the instructions are executable by at least one of the one or more processors to evaluate a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event; initiate an execution of a compiled script resulting from a compilation of the script; detect a function called by the compiled script; execute the function and perform an evaluation of the function; detect an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and verify, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
18. The apparatus of claim 17, wherein the instructions are further executable by at least one of the processors to: store first information associated with the compilation event in a compilation event queue; and store second information associated with the execution event in an execution event queue.
19. The apparatus of claim 17, wherein the instructions are further executable by at least one of the one or more processors to: pass the parameter to the function, wherein the execution event is based on a predetermined threshold length of the parameter.
20. The apparatus of claim 17, wherein the compilation event indicates the script includes an evasion technique, and the execution event is detected based on at least the parameter in the script meeting or exceeding the predetermined threshold or size.
21. A method of detecting malicious code in a script, the method comprising: evaluating a left side variable name of an assignment statement in the script or a right side value of the assignment statement to produce a result indicating a compilation event; initiating, by an execution engine, an execution of a compiled script resulting from a compilation of the script; detecting a function called by the compiled script; executing the function and performing an evaluation of the function; detecting an execution event during the evaluation of the function, wherein the execution event is detected based on a parameter passed into the function, a result of the function, data written or replaced by the function, or data calculated by the function at least meeting or exceeding a predetermined threshold length or size; and verifying, against a correlation signature defining a combination of events that indicate the script is malicious, a time or a location in the script of an occurrence of the compilation event relative to the execution event.
22. The method of claim 21, further comprising: storing first information associated with the compilation event in a compilation event queue; and storing second information associated with the execution event in an execution event queue.
23. The method of claim 21, wherein the compilation event indicates the script includes an evasion technique, and the execution event is detected based on at least the parameter in the script meeting or exceeding the predetermined threshold or size.
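The abstract and the claims above describe a two-phase detector: a compiler pass that inspects assignment statements (left-side name, right-side value) and records compilation events, an execution engine that hands hooked functions to a function evaluation module which records execution events when a parameter or result meets a threshold length, and a correlation signature that is verified against the relative location of a compilation event and an execution event, the call count, and a per-function weight. The following is an added toy model of that pipeline, written for this page; it is not the patent's implementation and not code from the applicant. The mini-language (`Assign`, `Call`, `Var`), the thresholds, the hooked-function table with its weights, and the `CorrelationSignature` fields are all assumptions chosen to make the claimed steps concrete; the two sample scripts are constructed.

```python
"""Toy model of compile-time / run-time event correlation for script scanning (added example)."""
from collections import deque
from dataclasses import dataclass, field


# --- constructed mini-language: a script is a list of assignments and calls ---
@dataclass
class Var:            # reference to a previously assigned variable
    name: str

@dataclass
class Call:           # call of a named function with literal/Var/Call arguments
    func: str
    args: list

@dataclass
class Assign:         # left side variable name, right side value (literal or Call)
    name: str
    value: object

@dataclass
class Event:
    kind: str         # "compilation" or "execution"
    label: str        # which criterion fired
    location: int     # statement index in the script (the "location" the claims refer to)
    detail: dict = field(default_factory=dict)

# Assumed thresholds ("predetermined threshold length or size" in the claims).
NAME_LEN_THRESHOLD = 12      # long, random-looking identifiers on the left side
LITERAL_LEN_THRESHOLD = 64   # long string literals on the right side
PARAM_LEN_THRESHOLD = 64     # parameter passed into a hooked function
RESULT_LEN_THRESHOLD = 64    # string produced by a hooked function


def compile_script(script):
    """Compiler pass: evaluate each assignment and queue compilation events."""
    queue = deque()
    for idx, stmt in enumerate(script):
        if not isinstance(stmt, Assign):
            continue
        if len(stmt.name) >= NAME_LEN_THRESHOLD:
            queue.append(Event("compilation", "long_variable_name", idx, {"name": stmt.name}))
        if isinstance(stmt.value, str) and len(stmt.value) >= LITERAL_LEN_THRESHOLD:
            queue.append(Event("compilation", "long_string_literal", idx, {"length": len(stmt.value)}))
    return queue


# Hooked ("relevant") functions and their assumed weights; the decode stand-in just reverses
# its input so the example stays self-contained.  Unhooked builtins run without evaluation.
HOOKED = {"decode": (lambda s: s[::-1], 3), "concat": (lambda *parts: "".join(parts), 1)}
BUILTINS = {"length": len}


class ExecutionEngine:
    def __init__(self, script):
        self.script, self.env = script, {}
        self.execution_queue, self.call_counts = deque(), {}

    def run(self):
        for idx, stmt in enumerate(self.script):
            if isinstance(stmt, Assign):
                self.env[stmt.name] = self._value(stmt.value, idx)
            elif isinstance(stmt, Call):
                self._value(stmt, idx)
        return self.execution_queue

    def _value(self, v, idx):
        if isinstance(v, Var):
            return self.env[v.name]
        if isinstance(v, Call):
            args = [self._value(a, idx) for a in v.args]
            self.call_counts[v.func] = self.call_counts.get(v.func, 0) + 1
            if v.func in HOOKED:                     # control passes to the evaluation module
                return self._evaluate_hooked(v.func, args, idx)
            return BUILTINS[v.func](*args)
        return v                                     # literal

    def _evaluate_hooked(self, name, args, idx):
        """Function evaluation module: run the function, then judge parameters and result."""
        func, weight = HOOKED[name]
        result = func(*args)
        base = {"weight": weight, "calls": self.call_counts[name]}
        if any(isinstance(a, str) and len(a) >= PARAM_LEN_THRESHOLD for a in args):
            self.execution_queue.append(Event("execution", f"{name}_long_parameter", idx, base))
        if isinstance(result, str) and len(result) >= RESULT_LEN_THRESHOLD:
            self.execution_queue.append(Event("execution", f"{name}_long_result", idx, {**base, "length": len(result)}))
        return result                                # control returns to the execution engine


@dataclass
class CorrelationSignature:
    name: str
    compilation_label: str
    execution_label: str
    max_distance: int       # execution event must follow the compilation event within this many statements
    min_calls: int = 1      # threshold number of times the function was called
    min_weight: int = 0     # minimum weight of the hooked function


def verify_signature(sig, compilation_queue, execution_queue):
    """True when some compilation/execution event pair satisfies the signature."""
    for c in (c for c in compilation_queue if c.label == sig.compilation_label):
        for e in (e for e in execution_queue if e.label == sig.execution_label):
            if (0 <= e.location - c.location <= sig.max_distance
                    and e.detail["calls"] >= sig.min_calls and e.detail["weight"] >= sig.min_weight):
                return True
    return False


def scan(script, signatures):
    """Run both phases and return the names of the signatures that verify."""
    cq, eq = compile_script(script), ExecutionEngine(script).run()
    return [s.name for s in signatures if verify_signature(s, cq, eq)]


# Constructed sample inputs: one script that trips the signature and one that does not.
SUSPICIOUS = [Assign("a1b2c3d4e5f6g7", "x" * 80),                     # long name + long literal
              Assign("buf", Call("decode", [Var("a1b2c3d4e5f6g7")])),  # long decode result, one statement later
              Call("length", [Var("buf")])]
BENIGN = [Assign("greeting", "hello"),
          Assign("msg", Call("concat", [Var("greeting"), ", world"])),
          Call("length", [Var("msg")])]
SIGNATURES = [CorrelationSignature("literal_then_decode", "long_string_literal", "decode_long_result",
                                   max_distance=3, min_weight=2)]

if __name__ == "__main__":
    print(scan(SUSPICIOUS, SIGNATURES), scan(BENIGN, SIGNATURES))
```

The separate queues keep the compilation and execution phases independent, and the signature is the only place that joins them, which is what makes the signature "configurable by a user" as claim 6 puts it: tuning `max_distance`, `min_calls` or `min_weight` changes what verifies without touching either phase.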
January 16, 2014
November 27, 2018